github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-29 21:29:24 +00:00
Code Issues Projects Releases Wiki Activity

AppArmor PodSecurityPolicy implementation

Browse Source
This commit is contained in:
Tim St. Clair
2016-08-17 17:24:47 -07:00
parent 52b3ef6f9c
commit 293770ef31
11 changed files with 493 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@@ -22,6 +22,8 @@ import (
"strings"
"testing"
"github.com/stretchr/testify/assert"
kadmission "k8s.io/kubernetes/pkg/admission"
kapi "k8s.io/kubernetes/pkg/api"
extensions "k8s.io/kubernetes/pkg/apis/extensions"
@@ -29,11 +31,14 @@ import (
"k8s.io/kubernetes/pkg/client/cache"
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
clientsetfake "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
"k8s.io/kubernetes/pkg/security/apparmor"
kpsp "k8s.io/kubernetes/pkg/security/podsecuritypolicy"
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
diff "k8s.io/kubernetes/pkg/util/diff"
)
const defaultContainerName = "test-c"
func NewTestAdmission(store cache.Store, kclient clientset.Interface) kadmission.Interface {
return &podSecurityPolicyPlugin{
Handler: kadmission.NewHandler(kadmission.Create),
@@ -610,6 +615,85 @@ func TestAdmitSELinux(t *testing.T) {
}
}
func TestAdmitAppArmor(t *testing.T) {
createPodWithAppArmor := func(profile string) *kapi.Pod {
pod := goodPod()
apparmor.SetProfileName(pod, defaultContainerName, profile)
return pod
}
unconstrainedPSP := restrictivePSP()
defaultedPSP := restrictivePSP()
defaultedPSP.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
}
appArmorPSP := restrictivePSP()
appArmorPSP.Annotations = map[string]string{
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault,
}
appArmorDefaultPSP := restrictivePSP()
appArmorDefaultPSP.Annotations = map[string]string{
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
}
tests := map[string]struct {
pod *kapi.Pod
psp *extensions.PodSecurityPolicy
shouldPass bool
expectedProfile string
}{
"unconstrained with no profile": {
pod: goodPod(),
psp: unconstrainedPSP,
shouldPass: true,
expectedProfile: "",
},
"unconstrained with profile": {
pod: createPodWithAppArmor(apparmor.ProfileRuntimeDefault),
psp: unconstrainedPSP,
shouldPass: true,
expectedProfile: apparmor.ProfileRuntimeDefault,
},
"unconstrained with default profile": {
pod: goodPod(),
psp: defaultedPSP,
shouldPass: true,
expectedProfile: apparmor.ProfileRuntimeDefault,
},
"AppArmor enforced with no profile": {
pod: goodPod(),
psp: appArmorPSP,
shouldPass: false,
},
"AppArmor enforced with default profile": {
pod: goodPod(),
psp: appArmorDefaultPSP,
shouldPass: true,
expectedProfile: apparmor.ProfileRuntimeDefault,
},
"AppArmor enforced with good profile": {
pod: createPodWithAppArmor(apparmor.ProfileNamePrefix + "foo"),
psp: appArmorDefaultPSP,
shouldPass: true,
expectedProfile: apparmor.ProfileNamePrefix + "foo",
},
"AppArmor enforced with local profile": {
pod: createPodWithAppArmor(apparmor.ProfileNamePrefix + "bar"),
psp: appArmorPSP,
shouldPass: false,
},
}
for k, v := range tests {
testPSPAdmit(k, []*extensions.PodSecurityPolicy{v.psp}, v.pod, v.shouldPass, v.psp.Name, t)
if v.shouldPass {
assert.Equal(t, v.expectedProfile, apparmor.GetProfileName(v.pod, defaultContainerName), k)
}
}
}
func TestAdmitRunAsUser(t *testing.T) {
createPodWithRunAsUser := func(user int64) *kapi.Pod {
pod := goodPod()
@@ -1212,6 +1296,7 @@ func goodPod() *kapi.Pod {
SecurityContext: &kapi.PodSecurityContext{},
Containers: []kapi.Container{
{
Name: defaultContainerName,
SecurityContext: &kapi.SecurityContext{},
},
},